Tech firms may balk at California push for citizen data access

A lawmaker wants the state to move toward what the EU gives its citizens in terms of "habeas data" rights -- the power to request one's personal data from companies that hold it. But Silicon Valley may well fight back.

The California State Assembly, where a debate will take place later this year over a "right to know" bill that would give citizens unprecedented access to personal data held by companies.
LWY/Flickr (CC)

The European Union has long championed its citizens' right to submit requests for data that companies hold on them in order to ensure the information is up to date and correct. In recent years, an Austrian law student brought this "habeas data" right into the public spotlight by demanding his Facebook data from the social network.

Americans don't have this right -- and generally, relative to the EU, they have little legal protection from the state or federal government against data theft, unauthorized disclosures, and other privacy-related matters.

Though the EU and the U.S. have never seen eye to eye on matters of data privacy and data protection in the legislative realm, that may change in the form of a new California "right to know" law currently in the proposal stage.

That is, if Silicon Valley doesn't fight back with the full force of its political lobby.

Unprecedented level of data disclosure
Following lobbying efforts from two major U.S. privacy groups -- the Electronic Frontier Foundation and the Northern Californian branch of the American Civil Liberties Union -- California Assembly Member Bonnie Lowenthal has introduced a bill, the "Right to Know Act 2013" (AB 1291), that could force companies operating in the state to follow EU-style data and privacy rules.

The Right to Know Act would require any business that holds a customer's personal information to disclose it, free of charge, within 30 days of that customer's request. The company would also have to disclose the names and contact information of all third parties it has shared the data with during the previous 12 months. If the company declined, the citizen could file a civil complaint to force compliance. The act would make for an unprecedented level of transparency.

In a blog post, the EFF points to three safeguards included in the bill to prevent abuse of the system and protect smaller but burgeoning startups that may not have the resources to respond to such requests. These are likely to appease some tech companies, but they may not settle their worries altogether.

Companies can choose not to store unnecessary data. Or if they do store data, they can anonymize it before doing so, and before disclosing it to third parties. Removing traits that link data to a specific person would mean companies wouldn't have to respond to data-access requests. Also, if a company rejects a data-access request, it can instead provide a notice about what data will be shared and with whom -- either just before or after the sharing happens. And for companies that find that such data-access requests demand too many resources, requests will be capped at one per person for every 12 months.

The hope for some is that though the law, if passed, would be limited to California companies and residents, it could eventually extend to other U.S. states.

Such a domino effect was seen with California's laws about Web sites describing their data collection and use, resulting in privacy policies becoming a normal feature of a company's site -- and also with California's laws for data-breach notifications, which have since rolled out to 46 states following the Golden State's first enactment of such legislation, in 2002.

The probable pushback
But California is also, of course, home to Silicon Valley. And the giants of the Valley, with their large, almost limitless ability to lobby politicians, are surely paying attention to the legislative rumblings in their own backyard. After all, they've been keeping an eye on Europe.

The European Parliament in Strasbourg, France, where new European data and privacy laws will be voted on later this month.
European Parliament/Flickr

European Justice Commissioner Viviane Reding said some Silicon Valley firms began "fierce" lobbying when, in January of last year, the European Commission put forward a series of suggested changes to the next version of Europe's data-protection law. The companies wanted to alter the form of the changes, or eliminate them entirely.

Around the same time, the EFF, the ACLU, and the Electronic Privacy Information Center -- among others -- wrote to leading U.S. politicians seeking assurances that they would not, on behalf of the firms that had lobbied them, hinder the process of new European data and privacy rules.

Lowenthal's California bill may well spark a similar response. And though a proposal like Lowenthal's was ratified into law by the European Parliament in 1995, most companies throwing their hat into the lobbying ring today didn't exist then -- companies like Facebook, Twitter, and Google, which have significant political sway because of their place in California's economy.

Facebook has already labeled such laws a potential threat to its bottom line. As CNET's Marguerite Reardon has pointed out, the question for Facebook is whether the company can satisfy privacy activists and government regulators, yet still serve enough data to advertisers to make Facebook a valuable platform for targeting consumers.

In its S-1 filing with the U.S. Securities and Exchange Commission in February 2012, Facebook said:

Our business is subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, changes to our business practices, increased cost of operations, or declines in user growth or engagement, or otherwise harm our business.

And the company has direct experience with such claims. Law student Max Schrems sparked a data-access storm when, starting in 2011, he set off a chain of events that ultimately forced Facebook to alter its privacy practice.

Related stories:

Under EU law, companies must give European citizens access to data held on them. Facebook operates in the EU out of Ireland -- an EU member state -- and Schrems requested his entire cache of Facebook data. He received his data on multiple CDs with documents spanning more than 1,200 pages. But he claimed it wasn't enough and filed a number of complaints with the Irish data-protection authority.

Though Europe's laws are far from perfect -- with loopholes that still allow the U.S. government to acquire EU-based data through unauthorized channels -- they offer an unparalleled level of protection to the Union's 500-plus million population, one that's since been a model for other countries around the world. A change in California law may nudge the U.S. toward an "EU way of thinking" regarding data-protection law.

But California's legislators will have a fight on their hands. For the likes of Facebook, Twitter, and Google, the greatest threat they can throw at the state is that they'll go elsewhere to do business. The chance of such moves might be unlikely, but the possibility is enough to ruffle the feathers of the state government, which wants to keep these companies firmly in their place -- more than anything for the kudos and the tax collection purposes.

The bill is expected to be debated in the next few months. But hold onto your hats, for this will be a bumpy ride.

Facebook declined to comment for this story. We've contacted Google and Twitter for comment and will update this post when we have more information.